Attackers can abuse Yahoo developer feature to steal user emails, other data

Yahoo's YQL console is open to cross-site abuse, a security researcher says

By Lucian Constantin, IDG News Service |  Security

Yahoo did not respond to a request for comment regarding Bogdan's proof-of-concept attack presented at DefCamp and the solution he suggested.

Bogdan hasn't been doing Web vulnerability research for a long time. However, he recently earned a cash reward from Google and a listing in the company's Application Security Hall of Fame for finding and reporting a vulnerability in one of the company's websites.

Google, Mozilla, Facebook and PayPal run bug bounty programs through which they pay researchers who responsibly disclose vulnerabilities found in their websites. Other companies, such as Microsoft, don't hand out monetary rewards but recognize the help received from researchers by publishing their names on special thank-you pages on their websites.

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Answers - Powered by ITworld

ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Ask a Question
randomness